Cookie-Bite attack PoC uses Chrome extension to steal session tokens

Summary: The “Cookie-Bite” attack leverages a malicious Chrome extension to steal session cookies from Azure Entra ID, allowing attackers to bypass multi-factor authentication (MFA) and gain unauthorized access to cloud services such as Microsoft 365. Although the tactic of stealing session cookies has been seen before, the attack’s stealth and persistence make it particularly concerning. Security measures, including conditional access policies and stricter Chrome extension controls, are recommended to mitigate the risk.

Affected: Azure Entra ID, Microsoft 365, Outlook, Teams

Key points:

  • The attack uses a malicious Chrome extension to capture Azure session cookies, specifically targeting ‘ESTSAUTH’ and ‘ESTSAUTHPERSISTENT’.
  • Attackers can reinject stolen cookies into their browser, bypassing MFA, and gain full access to the victim’s cloud services.
  • Implementation of conditional access policies and restrictions on Chrome extension usage is advised to enhance security against such attacks.
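
As an added example (not from the article or the PoC) of one extension control, the script below triages extension manifests for the combination a cookie-reading extension needs: the `cookies` API permission plus host access to the sign-in host. The host `login.microsoftonline.com`, the function names and the sample manifests are assumptions constructed here.

```python
import json

# Assumption: the Entra ID sign-in host on which the session cookies are set.
LOGIN_HOST = "login.microsoftonline.com"

def pattern_covers(pattern, host=LOGIN_HOST):
    """True if a Chrome match pattern grants HTTPS access to `host`."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:          # API permission name, not a host pattern
        return False
    scheme, rest = pattern.split("://", 1)
    if scheme not in ("*", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):     # wildcard covers the base and subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def audit_manifest(manifest):
    """Flag an extension that holds the cookies API plus access to LOGIN_HOST."""
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    hosts = perms + manifest.get("host_permissions", []) \
                  + manifest.get("optional_host_permissions", [])
    matching = [p for p in hosts if isinstance(p, str) and pattern_covers(p)]
    has_cookies = "cookies" in perms
    return {"name": manifest.get("name", "?"), "cookies_api": has_cookies,
            "login_patterns": matching, "flag": has_cookies and bool(matching)}

# Constructed sample manifests (not real extensions).
SAMPLES = [json.loads(s) for s in (
    '{"name": "mv3-targeted", "manifest_version": 3, "permissions": ["cookies"],'
    ' "host_permissions": ["https://login.microsoftonline.com/*"]}',
    '{"name": "mv2-wildcard", "manifest_version": 2,'
    ' "permissions": ["cookies", "*://*.microsoftonline.com/*"]}',
    '{"name": "mv3-unrelated", "manifest_version": 3, "permissions": ["cookies"],'
    ' "host_permissions": ["https://example.com/*"]}',
    '{"name": "mv3-no-cookies", "manifest_version": 3, "permissions": ["storage"],'
    ' "host_permissions": ["<all_urls>"]}',
)]

def flagged(manifests=SAMPLES):
    """Names of extensions to review first; a flag is a triage signal, not a verdict."""
    return [r["name"] for r in map(audit_manifest, manifests) if r["flag"]]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
```

Extensions that are flagged are candidates for review or for an allowlist decision; legitimate extensions can hold the same permissions.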

Source: https://www.bleepingcomputer.com/news/security/cookie-bite-attack-poc-uses-chrome-extension-to-steal-session-tokens/